Guys,
someone may be interested in this Spring MVC related paper
(CVE-2011-2730) "Expression Language Injection":
http://blog.mindedsecurity.com/2011/09/expression-language-injection.html
Vulnerable app and server side examples:
http://68.169.49.40:18080/ELInjection/demo.htm
Client side Poc example:
http://www.wisec.it/spring/springopt.html
Official fix/statement from SpringSource:
http://www.springsource.com/security/cve-2011-
Cheers,
Stefano
Ps. sorry for cross post :)
--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
Work: http://www.mindedsecurity.com
Blog: http://blog.mindedsecurity.com
..................
Guys,
someone may be interested in this Spring MVC related paper
(CVE-2011-2730) "Expression Language Injection":
http://blog.mindedsecurity.com/2011/09/expression-language-injection.html
Vulnerable app and server side examples:
http://68.169.49.40:18080/ELInjection/demo.htm
Client side Poc example:
http://www.wisec.it/spring/springopt.html
Official fix/statement from SpringSource:
http://www.springsource.com/security/cve-2011-
Cheers,
Stefano
Ps. sorry for cross post :)
--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
Work: http://www.mindedsecurity.com
Blog: http://blog.mindedsecurity.com
..................